Elevated Privileges?

Started by keslaa, July 28, 2014, 12:43:40 PM


keslaa

Hello. I have written a script that needs to run on a client computer as the logged-in user. In most instances, the user will be logged in with normal privileges. The script will traverse the registry under the user's hive and make some simple changes. However, I am having trouble creating the log file. All logs of any changes made to a user's PC are stored in C:\Windows\Logs. Up until now, this has never been a problem, as we have run everything as the administrator (everything is deployed via SCCM). I am now getting a 1346 error opening the log file in the above directory. Also, throughout the script, as each section is completed or data is collected, the file will be written to. I incorrectly attempted to use the wntRunAsUser command to open the file and then quickly saw that it cannot be used to elevate privileges. Does anyone have a workaround that will allow me to open/write a log file in C:\Windows\Logs? Thank you.

Eric

Deana

Please provide the Windows platform you are dealing with.
Also is UAC (User Account Control) enabled?
Does the user account the script is being launched from have permissions to write to c:\Windows?
Deana F.
Technical Support
Wilson WindowWare Inc.

keslaa

Windows 7, 64-bit.
UAC is disabled.
Basic user accounts do NOT have the permissions to write to C:\Windows. I was going to use the local admin account for that piece of the script.

ChuckC

As you discovered, you cannot use wntRunAsUser() from a non-privileged account, and therefore it cannot be used to allow a normal user to "escalate" their privileges to administrator levels.  Also, as you discovered, normal users do not, by default, have any permissions assigned in the file system to allow them to write to C:\Windows or any location under it.

You need to re-think how the script is designed and make a change of some sort.  One possibility is to grant appropriate permissions to C:\Windows\Logs to allow normal users to write to it, and then make sure that this change is applied to all workstations on which the script is executed.  Another possibility is to make the script write to a different location, such as a location created under C:\ProgramData, where it is permissible to create a directory in which normal users can create files.  If desired, a 2nd script could be running that monitors that directory for the creation of new files and then copies them to C:\Windows\Logs and deletes the original files, with the 2nd script running as an admin user account.

keslaa

Quote from: ChuckC on July 29, 2014, 05:40:52 AM
As you discovered, you cannot use wntRunAsUser() from a non-privileged account, and therefore it cannot be used to allow a normal user to "escalate" their privileges to administrator levels. 

Is there a way to do this with WinBatch? In my fuzzy memory, I thought that there was a way to elevate permissions for a section of the code, so long as the appropriate credentials were provided.

Quote
You need to re-think how the script is designed and make a change of some sort...Another possibility is to make the script write to a different location... 
If desired, a 2nd script could be running that monitors that directory for the creation of new files and then copies them to C:\Windows\Logs and deletes the original files, with the 2nd script running as an admin user account.

I was already thinking about this. I'm trying to find a way to do this through an SCCM package. I may have to tackle this as a task sequence instead of a stand-alone package.

etippelt

The simplest all round solution, in my humble opinion, is to run an SCCM job to permission C:\windows\logs to give standard users write permissions in there. I see no security issues with this and it is a logical location for any logs to be written to.  I don't think any more elaborate scheme is really worth spending time on, unless you decide that a "user" log folder is worth setting up in addition to the existing log folder.
Using Winbatch since 1995. Excellent tool, awesome support always.
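Both workarounds in this thread (ChuckC's two options and etippelt's direct grant) come down to the same deployment step: an admin-run job that hands standard users a narrow write right on a folder, optionally followed by an admin-run relay that moves staged files into C:\Windows\Logs. The PowerShell below is an added example, not code from the thread or from WinBatch; it is meant to run from an SCCM package or scheduled task as an administrator, and the folder names Contoso and LogStaging are assumed placeholders. It grants less than the usual "Modify": users can create files and append to their own, but cannot delete or rewrite anyone else's, and the grant is scoped to a subfolder rather than to C:\Windows\Logs itself, where the CBS, DISM and other system logs live.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread). Runs as an admin or SYSTEM deployment job,
# e.g. an SCCM package. The folder names 'Contoso' and 'LogStaging' are assumed placeholders.

# Well-known SIDs, so the rules do not depend on the display language of the OS.
$SidUsers        = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$SidAdmins       = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$SidSystem       = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$SidCreatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'       # CREATOR OWNER

function New-Ace {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

function Grant-UserLogWrite {
    # Lets standard users create new files in $Path and append to files they created,
    # but grants no Modify/Delete on the folder, so they cannot alter or remove anyone
    # else's log. Scoped to a subfolder on purpose: C:\Windows\Logs itself holds the CBS,
    # DISM and other system logs and, like most of C:\Windows, is normally owned by
    # TrustedInstaller, which makes Set-Acl on it awkward.
    param([Parameter(Mandatory = $true)][string]$Path)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Break inheritance and drop inherited entries; the list below is then authoritative.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl.AddAccessRule((New-Ace $SidSystem $full 'ContainerInherit, ObjectInherit'))
    $acl.AddAccessRule((New-Ace $SidAdmins $full 'ContainerInherit, ObjectInherit'))
    # Users, this folder only: list/traverse plus CreateFiles (WriteData on a directory).
    # AppendData on a directory means "create subdirectory", so it is deliberately absent.
    $acl.AddAccessRule((New-Ace $SidUsers 'ReadAndExecute, CreateFiles'))
    # CREATOR OWNER, files only: the user may read and append to the file they created,
    # but gets no Delete and no ChangePermissions.
    $acl.AddAccessRule((New-Ace $SidCreatorOwner 'Read, Write' 'ObjectInherit' 'InheritOnly'))
    Set-Acl -Path $Path -AclObject $acl
}

function Move-StagedLogs {
    # Relay for ChuckC's second option: runs as admin/SYSTEM, copies each staged file
    # into the destination and then deletes the original. Copy + delete rather than
    # Move-Item: a same-volume move keeps the staging ACL and the user's ownership,
    # while a fresh copy inherits the destination ACL and is owned by this account.
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination
    )

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Get-ChildItem -Path $Source -File -Filter '*.log' | ForEach-Object {
        $target = Join-Path $Destination $_.Name
        if (Test-Path -LiteralPath $target) {
            # Never overwrite: a user-chosen file name must not clobber an existing log.
            $target = Join-Path $Destination ('{0}.{1:yyyyMMddHHmmss}{2}' -f $_.BaseName, (Get-Date), $_.Extension)
        }
        Copy-Item -LiteralPath $_.FullName -Destination $target
        Remove-Item -LiteralPath $_.FullName -Force
    }
}

# Pick one of the two layouts (assumed folder names):
# Option A (etippelt, and what the original poster ended up doing via Group Policy):
# standard users write straight into a dedicated subfolder of C:\Windows\Logs.
Grant-UserLogWrite -Path 'C:\Windows\Logs\Contoso'

# Option B (ChuckC): users write under ProgramData, an admin job relays the files.
Grant-UserLogWrite -Path 'C:\ProgramData\Contoso\LogStaging'
Move-StagedLogs -Source 'C:\ProgramData\Contoso\LogStaging' -Destination 'C:\Windows\Logs\Contoso'
```

The WinBatch script then only has to open a file under the granted folder as the logged-in user; no RunAs is involved. Two caveats worth knowing before choosing: in Option A the user remains the owner of the file they created, and an owner can always rewrite the file's DACL, so they can later edit that log no matter what the folder ACE says; only Option B ends with admin-owned files, because the relay creates a fresh copy. And the same access entries can be pushed by Group Policy (Computer Configuration, Windows Settings, Security Settings, File System) instead of a script, which is the route the original poster took.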

Deana

Quote from: keslaa on July 29, 2014, 06:51:22 AM
Quote from: ChuckC on July 29, 2014, 05:40:52 AM
As you discovered, you cannot use wntRunAsUser() from a non-privileged account, and therefore it cannot be used to allow a normal user to "escalate" their privileges to administrator levels. 
Is there a way to do this with WinBatch? In my fuzzy memory, I thought that there was a way to elevate permissions for a section of the code, so long as the appropriate credentials were provided.
No, this is due to security limitations implemented on Windows 7. Use one of the suggested workarounds.


Deana F.
Technical Support
Wilson WindowWare Inc.

keslaa

Just to close this up, I ended up creating a group policy to allow writing to C:\Windows\Logs and that was fix enough. Thank you for your responses.

td

Thanks for taking the time to let us know how you resolved your problem. It adds to the collective knowledge that is this forum. 
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade